Adobe Sign: End of Life for TLS 1.0 and 1.1 support

It’s very important that you ensure all users' systems are TLS 1.2 compliant before April 9th 2018. Starting on this date, systems that are not TLS 1.2 compliant will lose access to the Adobe Sign service.


What is TLS?

Transport Layer Security (TLS) is the most widely deployed security protocol used today for Web browsers and other applications that require data to be securely exchanged over a network.

You passively use it whenever you open a browser.

How does this affect you?

Because Adobe Sign is a web-based service, you engage with it through secured network connections. Those connections are secured by TLS.

As new browsers and operating systems are released, new security standards are added. However, older release versions of a browser or OS will not be updated to include the newer standards.

As the acceptable level of security rises, these older, less secure applications must be left behind. That means you have to update your OS and browser versions so that secure sites can safely allow you to connect to them.

What is the impact?

Adobe has security compliance standards that require the end of life of older protocols and is mandating the use of TLS 1.2 in order to have the most up-to-date and secure version in use.

As a result, by April 9th 2018, if your system is not TLS 1.2 compliant, your system will not be allowed to make a connection to the Adobe Sign service.

What action is required?

You must move to TLS 1.2 by the second week of April 2018 or you will lose access to the Adobe Sign service.

For clients running web browsers: use a supported browser. For a list of Adobe Sign supported browsers, read the system requirements.

Operating system support for TLS 1.2 requires:

Windows server: use Windows Server 2008 R2 or later

Windows desktop: use Windows 8 or later

OS X: use OS X 10.8 or later

Application framework support for TLS 1.2:

For Java: use Java 8 or later. Java 7 may be used but requires TLSv1.2 to be explicitly enabled by the application

For .NET: use .NET 4.6 or later. .NET 4.5 may be used but requires TLSv1.2 to be explicitly enabled by the application. .NET depends on TLS 1.2 support by Windows (see above)

For applications using OpenSSL: use OpenSSL 1.0.1 or later

FAQ

What is TLS? (a deeper dive)

Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. It's the most widely deployed security protocol used today, and is used for Web browsers and other applications that require data to be securely exchanged over a network.

According to the protocol specification, TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The Record Protocol provides connection security, while the Handshake Protocol allows the server and client to authenticate each other and to negotiate encryption algorithms and cryptographic keys before any data is exchanged.
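Added example (not from Adobe's documentation): a small Python parser that reads both layers of the first record a server sends back, the record header and the handshake or alert message inside it, and reports whether the reply meets the TLS 1.2 minimum. The function names and the sample bytes are constructed for illustration, and it assumes a server that refuses an older version answers with the specification's protocol_version alert; some servers simply close the connection instead.

```python
import struct

# Constants from the TLS specifications (record and handshake layers).
ALERT, HANDSHAKE, SERVER_HELLO = 21, 22, 2
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
MIN_VERSION = (3, 3)  # TLS 1.2, the minimum this page requires


def classify_server_reply(data: bytes) -> dict:
    """Parse the first TLS record a server returns and judge it against MIN_VERSION."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    # Record layer: content type, protocol version (major, minor), body length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == ALERT and length == 2:
        level, code = body
        return {"kind": "alert", "fatal": level == 2,
                "detail": ALERTS.get(code, f"alert {code}"), "meets_minimum": False}
    if ctype == HANDSHAKE and length >= 6 and body[0] == SERVER_HELLO:
        # Handshake layer: 1-byte type, 3-byte length, then the chosen version.
        # TLS 1.3 servers also put (3, 3) here and signal 1.3 in an extension.
        version = (body[4], body[5])
        return {"kind": "server_hello", "fatal": False,
                "detail": VERSIONS.get(version, f"unknown {version}"),
                "meets_minimum": version >= MIN_VERSION}
    raise ValueError("not an alert or ServerHello record")


def build_server_hello(version: tuple) -> bytes:
    """Construct a minimal ServerHello record (sample data, zeroed random)."""
    hello = bytes(version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    msg = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, *version, len(msg)) + msg


# Constructed sample: fatal protocol_version alert (level 2, code 70 = 0x46).
SAMPLE_ALERT = bytes.fromhex("15 03 01 00 02 02 46")

if __name__ == "__main__":
    for name, raw in [("alert", SAMPLE_ALERT),
                      ("TLS 1.0 hello", build_server_hello((3, 1))),
                      ("TLS 1.2 hello", build_server_hello((3, 3)))]:
        print(name, classify_server_reply(raw))
```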

Is TLS vulnerable to hackers?

There have been documented attacks against TLS 1.0 using an older encryption method, and the older versions are more vulnerable than TLS 1.2, the newest version.

Why is Adobe EOLing TLS 1.0 and 1.1?

Adobe has security compliance standards that require the EOL of older protocols. One of these is compliance with the Payment Card Industry (PCI) standards. PCI DSS is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

PCI compliance mandates the use of TLS 1.1 or higher by Spring 2018.

Why is Adobe mandating the use of TLS 1.2 rather than allowing TLS 1.1 or TLS 1.2?

Adobe Sign has very low traffic on TLS 1.1, with ~80% using TLS 1.2 and ~20% using TLS 1.0.

Rather than wait for another EOL that addresses 1.1, Adobe would like to mandate a move to 1.2 now so that the most secure version is in use.

What is the last date that I can use an older version of TLS with Adobe Sign?

Adobe would like to encourage all users to abandon the older versions as quickly as possible to avoid further exposure to vulnerabilities.

The latest that an Adobe Sign customer should expect to be able to use one of these older versions is April 8th 2018.

For more information please contact Adobe Sign support or your customer success manager.


What if I send an agreement to a signer that hasn’t made the TLS changes?

Signers connect to Adobe Sign through the same SSL protocols as Senders. Any Signer that connects to Adobe will experience the browser error conditions mentioned below.

What error message will I see if I am using a browser that is not configured for TLS 1.2?

This depends on the browser that you are using. All of the browsers in the minimum system requirements list for Adobe Sign are configured to use TLS 1.2. If you are not on one of these browsers you should update your browser. You can find a list of the browsers supported by Adobe Sign here:

Error messages generated by the SSL communications layer are not controlled by Adobe Sign. They are generated by the browser prior to connecting to Adobe Sign. Here are some examples of errors that may be encountered:

IE 8 on Windows 7:

IE 11 on Windows 7 (IE 11 should enable TLS 1.2 by default, but it can be turned off):

In this case, turn on TLS 1.2 from the advanced settings dialog rather than the other two choices.